The OWASP Orange County email list can be found here [http://lists.owasp.org/mailman/listinfo/owasp-Orange_County http://lists.owasp.org/mailman/listinfo/owasp-Orange_County].


Join us and RSVP to our meeting there <br>


http://www.meetup.com/OWASP-OC


== Sponsor ==


The chapter leader is [mailto:ron.perris@owasp.org Ron Perris].


HP Enterprise Security


== Future Meetings ==


= Past Meetings =


==== May 21st 2013 ====


==== September 17th 2013 ====


'''Topic: Top Ten Web Defenses'''<br>


'''Topic: Demonstration of Common Web Vulnerabilities using WebGoat.NET'''<br>


'''Presenter: Jim Manico'''<br>


'''Summary:''' <br>



We cannot “firewall” or “patch” our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Citigroup, PBS, Sega, Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands of others have something in common – all have had websites compromised in the last year. No company or industry is immune. Programmers need to learn to build websites differently. This talk will review the top coding techniques developers need to master in order to build a low-risk, high-security web application.


'''Presenter: Jerry Hoff'''<br>


'''Summary:''' Developers cannot defend against unknown threats. Understanding vulnerabilities and security controls is an absolute necessity – not only for developers, but for Architects, QA and anyone else involved in the creation of software. This talk starts by making a strong argument for developer education, and how it fits into any organization’s SDLC. From there, we discuss other OWASP resources and projects dedicated to developer education, and an in-depth discussion of OWASP WebGoat.NET – an ASP.NET specific re-design of OWASP which meets the needs and addresses the challenges of modern application security training programs.


==== January 17th 2013====


'''Summary:''' The presentation will discuss the nature and application of BSIMM, a software security maturity model in use by many major companies. It will cover how BSIMM came about, how it is applied, and how companies use the results to increase their software security budgets and strengthen their software security programs.

Jerry Hoff, VP, Static Code Analysis Division at WhiteHat Security, will be speaking about WebGoat. Shakeel Tufail, Federal Practice Director for HP Enterprise Security Solutions, will be speaking on securing software. Noa Bar Yosef, Senior Security Strategist at Imperva, will be speaking on "De-Anonymizing Anonymous". A concluding panel, moderated by Richard Greenberg, Information Security Officer for LA County Public Health, will have the speakers joined by Adnan Masood, a Software Engineer and Architect.


'''Speaker Bio:''' Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. He authors and delivers developer security awareness training for WhiteHat Security and has a background as a software developer and architect. Jim is also a global board member for the OWASP foundation. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and the OWASP podcast series.

Jerry Hoff, the project leader of the OWASP Appsec Tutorial Series, and VP of the Static Code Analysis Division at WhiteHat Security, will be discussing his newest OWASP project, WebGoat.NET. For many years, the Java version of WebGoat has been available as a fantastic tool for learning application security from the Java perspective. Jerry has now created a parallel tool for ASP.NET developers to learn about application security. Jerry will be discussing how this tool can be used in a learning environment, and other issues related to application security education.


'''Presenter: Neil Matatall and Justin Collins'''


'''Summary:''' "With daily code releases and a growing infrastructure, manually reviewing code changes and protecting against security regressions quickly becomes impractical. Even when using security tools, whether commercial or open source, the difficult work of integrating them into the development and security cycles remains. We need to use an automated approach to push these tools as close to when the code is written as possible, allowing us to prevent potential vulnerabilities before they are shipped. We worked with development, operations, and release teams to create a targeted suite of tools focused on specific security concerns that are effective and don’t introduce any noise. This presentation will give an overview of what we’ve done over the past year, what we have learned along the way, and will provide advice for anyone else going down this road as well as the philosophy that guided us along the way."


==== September 14th 2011 7PM ====


'''Where:''' Crescent Solutions


17871 Mitchell N # 100, Irvine, CA


When: Wednesday September 17th 7pm


'''Schedule:'''


Where: TBD (Irvine)


http://www.meetup.com/ocrails/events/30043551/


Loose Schedule:


6:00 - 6:30: Introduction and networking


7:00 - 7:30: Introduction and networking


7:30 - 8:00: Brakeman with Justin Collins


8:00 - 8:15: Lightning Rounds


8:15 - 8:30: Brakeman Demo


6:30 - 7:10: Presentation


Brakeman with Justin Collins:


'''RSVP here http://www.meetup.com/OWASP-OC'''


Lightning Rounds:


==== March 28th 2012 ====


Neil Matatall: Friendly_id + ancestry


'''Topic: WebGoat.NET'''


Drew Deponte: Guard, spork, BDD


'''Presenter: Jerry Hoff'''


==== June 29th 2011 7PM ====


'''Summary:''' Jerry Hoff will be discussing his newest OWASP project, WebGoat.NET. For many years, the Java version of WebGoat has been available as a fantastic tool for learning application security from the Java perspective. Jerry has now created a parallel tool for ASP.NET developers to learn about application security. Jerry will be discussing how this tool can be used in a learning environment, and other issues related to application security education.


[http://owaspoc.eventbrite.com/ Registration Link]


'''Speaker Bio:''' Jerry Hoff is vice president of the Static Code Analysis division at WhiteHat Security. In this role, he oversees the development of WhiteHat's cloud-based static application security testing (SAST) service. Prior to WhiteHat, Mr. Hoff was co-founder and managing partner of Infrared Security, a leading application security professional services firm. Mr. Hoff is an experienced application security consultant with years of professional development and training delivery. He is also the lead of the OWASP AppSec Tutorial Series.


'''When:''' Wednesday June 29th, 2011 7pm


'''Where:'''


Irvine - 5151 California Ave, Irvine, CA 92617


'''Where: HireRight Offices'''


'''Schedule:'''


5151 California Avenue


Irvine, CA 92617


7:00 - 7:30: Introduction and networking


===== Meeting Sponsors =====


7:30 - 8:30: Presentation


Food and refreshments:


[[File:AppSecDC2010-Sponsor-trustwave.gif]]


Meeting location:


==== September 14th 2011 ====


[[File:Hireright.png]]


'''Summary:''' While the popular Ruby on Rails web framework provides built-in protection for many security vulnerabilities, it is still possible to misuse these features or introduce other vulnerabilities to an application. Brakeman is a static code analysis tool designed specifically to find vulnerabilities and configuration issues in Ruby on Rails applications. Since it works at the source code level, Brakeman can be used at any point in development without the need for deploying the full application stack. To make it even simpler, Brakeman can be integrated with Hudson/Jenkins to provide automatic monitoring of Brakeman results as code is committed. This talk will discuss how to use Brakeman and how it can help you create safer Rails applications.

'''Summary:''' Featuring analysis of more than 220 data breach investigations and more than 2,300 penetration tests conducted by Trustwave's SpiderLabs, the Global Security Report 2011 identifies the top vulnerabilities business encountered in 2010 as well as a list of strategic initiatives to help your business improve its overall security. The data gathered from these engagements is substantial and comprehensive. This presentation will be a summary of the results of the analysis of the data gathered during 2010. The results will be presented as both technical and business impact analysis.


'''Speaker Bio:''' Charles Henderson began his career in computer security in 1993, specializing in penetration testing as well as security and vulnerability research. As Director of Application Security Services at SpiderLabs, he leads the team responsible for Application Penetration Testing, Code Review, Secure Development Training, and other elite application security consulting services. Prior to joining SpiderLabs, Henderson ran his own boutique application security testing firm. Henderson’s firm provided offensive security services to a wide variety of clients in the United States and Europe. Henderson speaks frequently at major industry events and conferences, including BlackHat, DEF CON, AppSec US, AppSec EU, SOURCE, and the International Association of Financial Crime Investigators convention.


'''Where:''' HireRight Offices


5151 California Avenue


Irvine, CA 92617


'''RSVP:''' [http://owaspoc.eventbrite.com/ Here]


'''Pizza and refreshments will be provided by the sponsors of this meeting.'''


Food and refreshments:


[[File:AppSecDC2010-Sponsor-trustwave.gif]]


Meeting location:


[[File:Hireright.png]]


====January 28th, 2011====


'''Speaker Bio:''' Samy Kamkar has lectured on computer security issues in over a dozen countries, and his work has been featured on the front page of the New York Times. As a grey-hat hacker, he makes and breaks computer security for tech companies. In addition to his independent security research, he co-founded Fonality, an IP PBX company.


'''Topic: Back to Basics, Defensive Coding Principles for Web Development 101'''


'''Presenter: Jim Manico'''


'''Summary:''' The application security community is in deep need of prescriptive solutions for developers. This talk will review the world of Web Application Security from a "builder" point of view, focusing on critical controls that all developers must master if they wish to build low risk web applications today.


'''Speaker Bio:''' Jim Manico is the chair of the OWASP Connections committee where he focuses on producing and hosting the OWASP Podcast. Jim also is a co-manager of the OWASP ESAPI Open Source project. Professionally, Jim is an independent application security architect specializing in the construction of low-risk web applications. Jim is also an application security educator and assessment specialist.


'''Summary:''' Threat Modeling is one of the most important security activities that a development/QA team needs to perform as part of a Security Development Lifecycle. This activity allows the team to build a complete security profile of the system being built. Threat Modeling is not always easy to get going for a team that has little or no security experience. In this presentation we’ll take a look at why Threat Modeling is so important; we’ll explore the process behind it, and how the process is being implemented and followed across Symantec.


Time: 7:30


'''Speaker Bio:''' Edward Bonver is a principal software engineer on the product security team under the Office of the CTO at Symantec Corporation. In this capacity, Edward is responsible for working with software developers and quality assurance (QA) professionals across Symantec to continuously enhance the company’s software security practices through the adoption of methodologies, procedures and tools for secure coding and security testing. Within Symantec, Edward teaches secure coding and security testing classes for Symantec engineers, and also leads the company’s QA Security Task Force, which he founded. Prior to joining Symantec, Edward held software engineering and QA roles at Digital Equipment Corporation, Nbase and Zuma Networks. Edward is a Certified Information Systems Security Professional (CISSP) and a Certified Secure Software Lifecycle Professional (CSSLP). He holds a master’s degree in computer science from California State University, Northridge, and a bachelor’s degree in computer science from Rochester Institute of Technology. Edward is a Ph.D. student at NOVA Southeastern University.


'''Schedule:'''


1 PM - 5PM


'''Where:'''


5151 California Ave


Irvine, California 92617


United States.


RSVP: [https://www.regonline.com/owasp_oc_jan Here]


====Thursday, January 21st 2010====


'''Topic: Do VLANs allow for good application security?'''


'''Presenter: David M. N. Bryan'''


'''Summary:''' Virtual Local Area Networks (VLANs) are not a new concept, and can help any organization better control network access. I will present some of the previous issues identified, what was the root cause, and how these

the previous issues identified, what was the root cause, and how these

Line 267:

Line 242:

of the most hostile networks in the world.


David M. N. Bryan


'''Speaker Bio:'''


Senior Security Consultant


David has over 9+ years of computer security experience including consulting, engineering and administration. He has performed security


security and architecture of information computing environments.


'''Schedule:'''


====Thursday December 17th 2009====


7:30 -


7:30 PM, UC Irvine Campus, Room AIRB 1020


'''Where:''' We will be meeting in the Anteater Instruction and Research Building on the UC Irvine campus. The building itself is inside of the Anteater Parking Structure at the corner of E. Peltason Dr and Anteater Dr and is room number 1020. Parking is $7 but feel free to park off campus and walk to the building. http://www.oit.uci.edu/computing/labs/training.html Building #653 in quadrant H9 on the campus map - http://today.uci.edu/pdf/UCI_09_map_campus_core.pdfBD


For those who would like to avoid paying for parking, you can park in the University Center and take the campus shuttle: http://www.shuttle.uci.edu/maincampus/index.php


The shuttle runs until 10:45PM. The shuttle costs $1 per ride, but fees are rarely collected ;)


'''Topic: Pulling the Plug: Security Risks in the Next Generation of Offline Web Applications'''


'''Presenter:''' Michael Sutton


'''Summary:'''

As the line between desktop and web applications becomes increasingly blurry in a web 2.0 world, browser functionality is being pushed well beyond what it was originally intended for. Persistent client side storage has become a requirement for web applications if they are to be available both online and off. This need is being filled by a variety of technologies such as [http://webkit.org/blog/126/webkit-does-html5-client-side-database-storage Gears (formerly Google Gears) and the Database Storage] functionality included in the emerging [http://dev.w3.org/html5/spec/Overview.html HTML 5 specification]. While all such technologies offer great promise, it is clear that the vast majority of developers simply do not understand their security implications.

Researching a variety of currently deployed implementations of these technologies has revealed a broad scope of vulnerabilities with frightening implications. Now attackers can target victims not just once, but every time they visit a site as the victim now carries and stores the attack with them. Imagine a scenario whereby updated confidential information is forwarded to an attacker every time a victim interacts with a given web application. The attacker no longer needs to worry about timing their attacks to ensure that the victim is authenticated as the victim attacks himself! Limited storage? Cookies that expire? Not a problem when entire databases are accessible with virtually unlimited storage and an infinite lifespan. Think these attacks are theoretical? Think again. In this talk we dive into these technologies and break down the risk posed by them when not properly understood. We will then detail a variety of real-world vulnerabilities that have been uncovered, including a new class of cross-site scripting and client-side SQL injection.


'''Speaker Bio:'''


'''Michael Sutton'''


'''Vice President, Security Research – Zscaler'''


Michael Sutton has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers and educating others on a variety of security topics. As VP of Security Research, Michael heads Zscaler Labs, the research and development arm of the company. Zscaler Labs is responsible for researching emerging topics in web security and developing innovative security controls, which leverage the Zscaler in-the-cloud model. The team is comprised of researchers with a wealth of experience in the security industry.


Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics where, as an industry expert, he was responsible for researching, publishing and presenting on various security issues. In 2007, SPI Dynamics was acquired by Hewlett-Packard. Previously, Michael was a Research Director at iDefense where he led iDefense Labs, a team responsible for discovering and researching security vulnerabilities in a variety of technologies. iDefense was acquired by VeriSign in 2005. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media on various information security topics, has authored numerous articles and is the co-author of Fuzzing: Brute Force Vulnerability Discovery, an Addison-Wesley publication.


'''Schedule:'''


7:30 PM -


'''Where:'''


UC Irvine Campus, Room AIRB 1020


We will be meeting in the Anteater Instruction and Research Building on the UC Irvine campus. The building itself is inside of the Anteater Parking Structure at the corner of E. Peltason Dr and Anteater Dr and is room number 1020. Parking is $7 but feel free to park off campus and walk to the building.

* <b>The Rise of Threat Analysis and the Fall of Compliance, Policies, and Standards in mitigating Web Application Security Risks</b>


====Apr 30, 2009 6:30PM-8:30PM====


Come talk application security at the third OWASP OC meeting. We'll discuss current application security topics and chapter issues over pizza. We have a room booked for 15-20 people so we'll be able to rant without disturbing the patrons :) See you there! [https://www.owasp.org/images/5/58/Cloud_Computing_Security.pdf Presentation Slides]


====Dec 17, 2008 6PM - 9PM====

This meeting will be a roundtable discussion of application security news, plus a few OWASP-themed challenges with prizes. Pizza will be provided and we'll head to the Yard House after the meeting.

September 17th 2013

Topic: Demonstration of Common Web Vulnerabilities using WebGoat.NET

Presenter: Jerry Hoff

Summary: Developers cannot defend against unknown threats. Understanding vulnerabilities and security controls is an absolute necessity – not only for developers, but for Architects, QA and anyone else involved in the creation of software. This talk starts by making a strong argument for developer education, and how it fits into any organization’s SDLC. From there, we discuss other OWASP resources and projects dedicated to developer education, and an in-depth discussion of OWASP WebGoat.NET – an ASP.NET specific re-design of OWASP which meets the needs and addresses the challenges of modern application security training programs.

August 15th 2013

Topic: Teaching your WAF new tricks

Presenter: Robert Rowley, Security Researcher

Summary: Not your uncle's "What's a WAF?" talk. I discuss the basics of mod_security and how to extend your rule sets with lua scripts. Implementing automated response systems, better analytics on attacks and introducing counterintelligence tools all using an open source WAF.

Speaker Bio: A Security Researcher for Trustwave SpiderLabs, and part of the California security scene for the past decade. Previous to my work with SpiderLabs I worked as the security architect for a shared hosting company (who managed the web application firewall configuration for all 1mil+ websites hosted on the network).

Where: Crescent Solutions 17871 Mitchell N # 100, Irvine, CA

Schedule:

6:00 - 6:30: Introduction and networking

6:30 - 7:10: Presentation

RSVP:

July 18th 2013

Topic: BSIMM

Presenter: Carl Schwarcz, Managing Consultant, Cigital, Inc.

Summary: The presentation will discuss the nature and application of BSIMM, a software security maturity model in use by many major companies. It will cover how BSIMM came about, how it is applied, and how companies use the results to increase their software security budgets and strengthen their software security programs.

May 21st 2013

Topic: Top Ten Web Defenses

Presenter: Jim Manico

Summary: We cannot “firewall” or “patch” our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Citigroup, PBS, Sega, Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands of others have something in common – all have had websites compromised in the last year. No company or industry is immune. Programmers need to learn to build websites differently. This talk will review the top coding techniques developers need to master in order to build a low-risk, high-security web application.

Speaker Bio: Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. He authors and delivers developer security awareness training for WhiteHat Security and has a background as a software developer and architect. Jim is also a global board member for the OWASP foundation. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and the OWASP podcast series.

January 17th 2013

Topic: Putting your robots to work: security automation at Twitter

Presenter: Neil Matatall and Justin Collins

Summary: "With daily code releases and a growing infrastructure, manually reviewing code changes and protecting against security regressions quickly becomes impractical. Even when using security tools, whether commercial or open source, the difficult work of integrating them into the development and security cycles remains. We need to use an automated approach to push these tools as close to when the code is written as possible, allowing us to prevent potential vulnerabilities before they are shipped. We worked with development, operations, and release teams to create a targeted suite of tools focused on specific security concerns that are effective and don’t introduce any noise. This presentation will give an overview of what we’ve done over the past year, what we have learned along the way, and will provide advice for anyone else going down this road as well as the philosophy that guided us along the way."

March 28th 2012

Topic: WebGoat.NET

Presenter: Jerry Hoff

Summary: Jerry Hoff will be discussing his newest OWASP project, WebGoat.NET. For many years, the Java version of WebGoat has been available as a fantastic tool for learning application security from the Java perspective. Jerry has now created a parallel tool for ASP.NET developers to learn about application security. Jerry will be discussing how this tool can be used in a learning environment, and other issues related to application security education.

Speaker Bio: Jerry Hoff is vice president of the Static Code Analysis division at WhiteHat Security. In this role, he oversees the development of WhiteHat's cloud-based static application security testing (SAST) service. Prior to WhiteHat, Mr. Hoff was co-founder and managing partner of Infrared Security, a leading application security professional services firm. Mr. Hoff is an experienced application security consultant with years of professional development and training delivery. He is also the lead of the OWASP AppSec Tutorial Series.

Where:
Irvine - 5151 California Ave, Irvine, CA 92617

Schedule:

7:00 - 7:30: Introduction and networking

7:30 - 8:30: Presentation

September 14th 2011

Topic: Brakeman, a Ruby on Rails Vulnerability Scanner

Presenter: Justin Collins

Summary: While the popular Ruby on Rails web framework provides built-in protection for many security vulnerabilities, it is still possible to misuse these features or introduce other vulnerabilities to an application. Brakeman is a static code analysis tool designed specifically to find vulnerabilities and configuration issues in Ruby on Rails applications. Since it works at the source code level, Brakeman can be used at any point in development without the need for deploying the full application stack. To make it even simpler, Brakeman can be integrated with Hudson/Jenkins to provide automatic monitoring of Brakeman results as code is committed. This talk will discuss how to use Brakeman and how it can help you create safer Rails applications.

June 29th 2011

Topic: Global Security Report 2011

Presenter: Charles Henderson

Summary: Featuring analysis of more than 220 data breach investigations and more than 2,300 penetration tests conducted by Trustwave's SpiderLabs, the Global Security Report 2011 identifies the top vulnerabilities businesses encountered in 2010 as well as a list of strategic initiatives to help your business improve its overall security. The data gathered from these engagements is substantial and comprehensive. This presentation will be a summary of the results of the analysis of the data gathered during 2010. The results will be presented as both technical and business impact analysis.

Speaker Bio: Charles Henderson began his career in computer security in 1993, specializing in penetration testing as well as security and vulnerability research. As Director of Application Security Services at SpiderLabs, he leads the team responsible for Application Penetration Testing, Code Review, Secure Development Training, and other elite application security consulting services. Prior to joining SpiderLabs, Henderson ran his own boutique application security testing firm. Henderson’s firm provided offensive security services to a wide variety of clients in the United States and Europe. Henderson speaks frequently at major industry events and conferences, including BlackHat, DEF CON, AppSec US, AppSec EU, SOURCE, and the International Association of Financial Crime Investigators convention.

Pizza and refreshments will be provided by the sponsors of this meeting.


January 28th, 2011

Topic: Online Privacy and the Evercookie

Presenter: Samy Kamkar

Speaker Bio: Samy Kamkar has lectured on computer security issues in over a dozen countries, and his work has been featured on the front page of the New York Times. As a grey-hat hacker, he makes and breaks computer security for tech companies. In addition to his independent security research, he co-founded Fonality, an IP PBX company.

Topic: Back to Basics, Defensive Coding Principles for Web Development 101

Presenter: Jim Manico

Summary: The application security community is in deep need of prescriptive solutions for developers. This talk will review the world of Web Application Security from a "builder" point of view, focusing on critical controls that all developers must master if they wish to build low risk web applications today.

Speaker Bio: Jim Manico is the chair of the OWASP Connections committee where he focuses on producing and hosting the OWASP Podcast. Jim also is a co-manager of the OWASP ESAPI Open Source project. Professionally, Jim is an independent application security architect specializing in the construction of low-risk web applications. Jim is also an application security educator and assessment specialist.

Summary: Threat Modeling is one of the most important security activities that a development/QA team needs to perform as part of a Security Development Lifecycle. This activity allows the team to build a complete security profile of the system being built. Threat Modeling is not always easy to get going for a team that has little or no security experience. In this presentation we’ll take a look at why Threat Modeling is so important; we’ll explore the process behind it, and how the process is being implemented and followed across Symantec.

Speaker Bio: Edward Bonver is a principal software engineer on the product security team under the Office of the CTO at Symantec Corporation. In this capacity, Edward is responsible for working with software developers and quality assurance (QA) professionals across Symantec to continuously enhance the company’s software security practices through the adoption of methodologies, procedures and tools for secure coding and security testing. Within Symantec, Edward teaches secure coding and security testing classes for Symantec engineers, and also leads the company’s QA Security Task Force, which he founded. Prior to joining Symantec, Edward held software engineering and QA roles at Digital Equipment Corporation, Nbase and Zuma Networks. Edward is a Certified Information Systems Security Professional (CISSP) and a Certified Secure Software Lifecycle Professional (CSSLP). He holds a master’s degree in computer science from California State University, Northridge, and a bachelor’s degree in computer science from Rochester Institute of Technology. Edward is a Ph.D. student at NOVA Southeastern University.

Thursday, January 21st 2010

Topic: Do VLANs allow for good application security?

Presenter: David M. N. Bryan

Summary: Virtual Local Area Networks (VLANs) are not a new concept, and can help any organization better control network access. I will present some of the previous issues identified, what was the root cause, and how these have been fixed in current technology. In addition we will talk about how this can help to enhance security in your environment, and what controls must be in place in order to implement such an environment. We will also touch on how this can complicate your application environment, but improve overall security.

I will touch on the controls that need to be reviewed and audited when working with VMware, VLANs, and web applications, to ensure that these networks are secure, and what to look for to potentially pass audit criteria. I will also talk about where and how these controls have been implemented in order to protect thousands of users while accessing one of the most hostile networks in the world.

Speaker Bio:
David has over 9 years of computer security experience including consulting, engineering and administration. He has performed security assessment projects for health care, nuclear, manufacturing, pharmaceutical, banking and educational sectors. As an active participant in the information security community, he volunteers at DEFCON where he designs and implements the Firewall and Network for what is said to be the most hostile network environment in the world.

He is also an active participant in the local Minneapolis security groups, both as a board member of OWASP MSP and DC612. His roots and experience come from working for large enterprise banks, designing and managing enterprise security systems. In more recent years he has been working as an Information Security Consultant to review the security and architecture of information computing environments.

The shuttle runs until 10:45PM. The shuttle costs $1 per ride, but fees are rarely collected ;)

Thursday December 17th 2009

Topic: Pulling the Plug: Security Risks in the Next Generation of Offline Web Applications

Presenter: Michael Sutton

Summary:
As the line between desktop and web applications becomes increasingly blurry in a web 2.0 world, browser functionality is being pushed well beyond what it was originally intended for. Persistent client side storage has become a requirement for web applications if they are to be available both online and off. This need is being filled by a variety of technologies such as Gears (formerly Google Gears) and the Database Storage functionality included in the emerging HTML 5 specification. While all such technologies offer great promise, it is clear that the vast majority of developers simply do not understand their security implications.

Researching a variety of currently deployed implementations of these technologies has revealed a broad scope of vulnerabilities with frightening implications. Now attackers can target victims not just once, but every time they visit a site, as the victim now carries and stores the attack with them. Imagine a scenario whereby updated confidential information is forwarded to an attacker every time a victim interacts with a given web application. The attacker no longer needs to worry about timing their attacks to ensure that the victim is authenticated, as the victim attacks himself! Limited storage? Cookies that expire? Not a problem when entire databases are accessible with virtually unlimited storage and an infinite lifespan. Think these attacks are theoretical? Think again. In this talk we dive into these technologies and break down the risk posed by them when not properly understood. We will then detail a variety of real-world vulnerabilities that have been uncovered, including a new class of cross-site scripting and client-side SQL injection.

Speaker Bio:

Michael Sutton has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers and educating others on a variety of security topics. As VP of Security Research, Michael heads Zscaler Labs, the research and development arm of the company. Zscaler Labs is responsible for researching emerging topics in web security and developing innovative security controls, which leverage the Zscaler in-the-cloud model. The team is comprised of researchers with a wealth of experience in the security industry.

Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics where, as an industry expert, he was responsible for researching, publishing and presenting on various security issues. In 2007, SPI Dynamics was acquired by Hewlett-Packard. Previously, Michael was a Research Director at iDefense where he led iDefense Labs, a team responsible for discovering and researching security vulnerabilities in a variety of technologies. iDefense was acquired by VeriSign in 2005. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media on various information security topics, has authored numerous articles and is the co-author of Fuzzing: Brute Force Vulnerability Discovery, an Addison-Wesley publication.

Wednesday, October 14th 2009

This is a restaurant/bar with plenty of seating, but room for a projector is out of the question so this would be an informal round table discussion.

I have a presentation I'm working on regarding WAFs and Vulnerability Assessment Tools. If it pleases the group, I'd love to go over the presentation and discuss everyone's experiences. Also, it's a great way to get feedback :)

Apr 30, 2009 6:30PM-8:30PM

Our fourth OC OWASP meeting will be an informal, roundtable discussion of current application security issues. Feel free to bring some ideas, code, slides, etc to contribute to the discussion. Hope to see everyone there!

Feb 19, 2009 6:30PM-8:30PM

Come talk application security at the third OWASP OC meeting. We'll discuss current application security topics and chapter issues over pizza. We have a room booked for 15-20 people so we'll be able to rant without disturbing the patrons :) See you there! Presentation Slides: https://www.owasp.org/images/5/58/Cloud_Computing_Security.pdf

Aug 27, 2008, 7 PM - 9 PM

Come meet up with web security professionals, have some pizza, and offer your thoughts for the direction of the OC chapter at our inaugural meeting! We are looking for speakers and venue sponsors for the next meeting. If you are interested, please contact the chapter leaders. Everyone is welcome to join us at our chapter meetings.